#UNC6040

2025-10-09

#Salesforce says it won’t pay #extortion demand in 1 billion records #breach

The threat group behind the campaign is calling itself #ScatteredLAPSUS$ Hunters, a mashup of three prolific data-extortion actors: #ScatteredSpider, #LAPSUS$, and #ShinyHunters. #Mandiant, meanwhile, tracks the group as #UNC6040, because the researchers so far have been unable to positively identify the connections.
#privacy #security

arstechnica.com/security/2025/

2025-10-08

ShinyHunters Wage Broad Corporate Extortion Spree - A cybercriminal group that used voice phishing attacks to siphon more than a billion reco... krebsonsecurity.com/2025/10/sh #scatteredlapsus$hunters #oraclee-businesssuite #crimsoncollective #neer-do-wellnews #alittlesunshine #charlescarmakal #latestwarnings #thecomingstorm #cve-2025-61882 #austinlarsen #shinyhunters #ransomware #salesforce #salesloft #asyncrat #unc6040 #unc6395

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-09-17

"The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.

[...]

In March, one of the threat actors breached Salesloft's GitHub repository, which contained the private source code for the company.

ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms."

Read more of Lawrence Abrams' great reporting on Bleeping Computer:
bleepingcomputer.com/news/secu

#Salesforce #Salesloft #Oauth #Drift #databreach #ransom #ShinyHunters #ScatteredSpider #LAPSUS$ #UNC6040 #UNC6395

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-09-16

So many news reports have repeated the BBC's mistaken estimate about the number of customers affected by the Kering data breaches. So...

No, folks, it's not 7.4 million affected or fewer. It's a lot more because the BBC's estimate was based on just the second and smaller breach (Balenciaga, Brioni, and Alexander McQueen), and not the Gucci data which allegedly has more than 43 million records. Even assuming repeat customers are in there, there are likely a lot of unique customers in the Gucci data.

If we use the same percent based on 7.4 million out of almost 13 million records in the second data set, then that would yield 24-25 million unique email addresses for the Gucci data set, for an estimated total of more than 31 million customers all told.

I didn't estimate the number of unique customers in my reporting because it's too sloppy. But it's highly unlikely to be 7.4 million or fewer as BBC reported.

#Kering #Gucci #Balenciaga #Brioni #AlexanderMcQueen #databreach #Salesforce #ShinyHunters #UNC6040 #incidentresponse #transparency

My reports:
databreaches.net/2025/09/11/ex

databreaches.net/2025/09/15/up

@euroinfosec @zackwhittaker

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-09-15

Last week, I broke the story about Gucci and other Kering brands being hacked by ShinyHunters as part of the Salesforce campaign. In my reporting, I included chat logs and other exclusive details. You can read my original reporting here: databreaches.net/2025/09/11/ex

There is now an update that refutes Kering's reported claim today that they didn't have any conversations with the hackers. I also highlight their failures to be more transparent about the incidents:
databreaches.net/2025/09/15/up

#databreach #Salesforce #ShinyHunters #Gucci #Brioni #Balenciaga #KERING #AlexanderMcQueen #UNC6040

2025-09-15

Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
#UNC6040 #UNC6395
ic3.gov/CSA/2025/250912.pdf

Christoffer S. (@nopatience@swecyb.com)
2025-08-27

Last night I put together this "fused" threat assessment of the UNC6040 activity cluster in an attempt to provide slightly better overarching view of what's going on.

cstromblad.com/posts/threat-as

#ThreatIntel #UNC6040 #Cybersecurity

Opalsec (@Opalsec@infosec.exchange)
2025-08-11

I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations, at least - aren't being accounted for by traditional TI teams.

1. Data Theft & Extortion Actors
2. Actors capitalising on 3rd Party Platform Applications

Curious to know - do your orgs track and threat model opportunistic Data Theft and Extortion Actors, or just focus on the APTs and ransomware groups of the world?

The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."

bloomberg.com/news/articles/20

The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.

Also, we're all aware of Malicious OAuth applications in o365, but are your orgs aware of, monitoring, and locking down 3rd party platform integrations?

For those unaware of the campaign, here's the AI-generated TLDR of a Google report on the activity: https://cloud.google.com/blog/

Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign

Key Points & Technical Summary:

A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.

The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.

The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.

Additional Context & Related Activity

Activity Cluster:

The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.

Other Compromises & Targets:

This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* Adidas

The targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.

Techniques & TTPs:

Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.

Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.

#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
#Cisco #Google #CyberAttack
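A detection-side check for the chain summarised in the post above (an unapproved "Data Loader" look-alike connected app, an API login from outside corporate address ranges, then a burst of queries), added here as an example and not code from Opalsec, Google, Mandiant or Salesforce. It assumes a simplified event stream whose field names are loosely modelled on Salesforce's LoginHistory and event-monitoring data; the app allowlist, the network ranges, the thresholds and every event record are constructed for the example.

```python
"""Triage a stream of Salesforce-style login and API events for the
UNC6040 pattern: an unapproved 'Data Loader' look-alike connected app
logs in over the API from outside the corporate ranges and then issues
a burst of queries. Field names are loosely modelled on Salesforce's
LoginHistory / event-monitoring data; every record, allowlist entry,
network range and threshold below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the org maintains an allowlist of approved connected apps.
ALLOWED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}
# Constructed corporate egress ranges (an RFC 1918 block plus a documentation block).
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BURST_THRESHOLD = 50                 # API calls within BURST_WINDOW that count as a bulk export
BURST_WINDOW = timedelta(minutes=10)


def is_corporate(ip: str) -> bool:
    """True if the address falls inside a known corporate egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def lookalike(app: str, cutoff: float = 0.6) -> Optional[str]:
    """Return the approved app name that an unapproved name resembles,
    or None when the app is approved or unlike anything on the list."""
    if app in ALLOWED_APPS:
        return None
    for name in sorted(ALLOWED_APPS):
        if SequenceMatcher(None, app.lower(), name.lower()).ratio() >= cutoff:
            return name
    return None


def triage(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Walk events in time order and emit alerts for (1) a successful
    login by an unapproved or look-alike connected app, or from a
    non-corporate address, and (2) a burst of API calls that follows
    such a login from the same user and address."""
    alerts = []
    suspect = set()                      # (user, ip) pairs with a flagged login
    burst_done = set()                   # avoid re-alerting the same session
    recent = defaultdict(list)           # (user, ip) -> API call timestamps in the window
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["source_ip"])
        if ev["kind"] == "login":
            if ev["status"] != "Success":
                continue
            reasons = []
            target = lookalike(ev["app"])
            if target:
                reasons.append(f"connected app '{ev['app']}' resembles approved '{target}' but is not on the allowlist")
            elif ev["app"] not in ALLOWED_APPS:
                reasons.append(f"connected app '{ev['app']}' is not on the allowlist")
            if not is_corporate(ev["source_ip"]):
                reasons.append(f"login from non-corporate address {ev['source_ip']}")
            if reasons:
                suspect.add(key)
                alerts.append({"rule": "suspicious_connected_app_login", "user": ev["user"],
                               "source_ip": ev["source_ip"], "time": ev["time"], "reasons": reasons})
        elif ev["kind"] == "api":
            stamps = recent[key]
            stamps.append(ev["time"])
            while stamps and ev["time"] - stamps[0] > window:   # slide the window forward
                stamps.pop(0)
            if key in suspect and key not in burst_done and len(stamps) >= threshold:
                burst_done.add(key)
                alerts.append({"rule": "bulk_api_export_after_suspicious_login", "user": ev["user"],
                               "source_ip": ev["source_ip"], "time": ev["time"],
                               "reasons": [f"{len(stamps)} API calls within {window} of a flagged login"]})
    return alerts


def _login(user, ip, app, t, status="Success"):
    return {"kind": "login", "user": user, "source_ip": ip, "app": app, "status": status, "time": t}


def _api(user, ip, t):
    return {"kind": "api", "user": user, "source_ip": ip, "time": t}


T0 = datetime(2025, 6, 10, 14, 0, 0)
# Constructed sample: an admin using the approved Data Loader from the office,
# and a user whose session matches the vishing chain (look-alike app,
# non-corporate address, 60 queries in three minutes).
SAMPLE_EVENTS = (
    [_login("alice@example.com", "10.4.5.6", "Salesforce Data Loader", T0)]
    + [_api("alice@example.com", "10.4.5.6", T0 + timedelta(seconds=30 * i)) for i in range(1, 6)]
    + [_login("bob@example.com", "198.51.100.77", "Data Loader", T0 + timedelta(minutes=5))]
    + [_api("bob@example.com", "198.51.100.77", T0 + timedelta(minutes=5, seconds=3 * i)) for i in range(1, 61)]
)

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["time"].isoformat(), a["rule"], a["user"], a["source_ip"])
        for r in a["reasons"]:
            print("   -", r)
```

The two rules are deliberately chained: a query burst on its own is what a legitimate admin running the real Data Loader looks like, so it only becomes an alert when the same user/address pair has already tripped the connected-app or network check. In a real deployment the allowlist would be keyed on the connected app's identifier rather than its display name, since the display name is exactly what an impostor app copies.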

2025-08-08

🚨 @Google confirms it was impacted by the Salesforce phishing campaign linked to ShinyHunters.

☑️ Attack vector: UNC6040 social engineering
☑️ Data: SMB contact details
☑️ Extortion followed via UNC6240
🧠 With platforms like Salesforce not breached directly, are orgs overlooking the phishing surface?

#Google #CyberSecurity #Salesforce #Phishing #ShinyHunters #UNC6040 #DataBreach #InfoSec

Google Discloses Data Breach via Salesforce Hack
2025-08-07

Google confirms ShinyHunters (UNC6040) breached its internal Salesforce database via a vishing scam, affecting SMB customer data.

Read: hackread.com/google-salesforce

#CyberSecurity #ShinyHunters #UNC6040 #Salesforce #DataBreach #Google

John Leonard (@johnleonard)
2025-08-07

Google and Cisco have disclosed separate data breaches stemming from voice phishing (vishing) attacks that compromised customer information stored in cloud-based CRM systems.

computing.co.uk/news/2025/secu

gtbarry (@gtbarry)
2025-08-07

Google says hackers stole its customers’ data by breaching its Salesforce database

Google said one of its Salesforce database systems, used to store contact information and related notes for small and medium-sized businesses, was breached by a hacking group

techcrunch.com/2025/08/06/goog
